lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 2 Jul 2010 14:17:01 +0200 (CEST)
From:	Jan Engelhardt <jengelh@...ozas.de>
To:	Patrick McHardy <kaber@...sh.net>
cc:	davem@...emloft.net, netfilter-devel@...r.kernel.org,
	netdev@...r.kernel.org
Subject: Re: [PATCH 1/9] netfilter: nf_nat: support user-specified SNAT rules
 in LOCAL_IN


On Friday 2010-07-02 12:17, Patrick McHardy wrote:
>>
>> I still have not grasped why SNAT is needed in the INPUT path. For the
>> tunnel scenario that you wanted to build I could not find a reason to
>> do SNAT in that place - since the non-encapsulated packets don't go
>> through INPUT anyway.
>
> Sure they do, if they are destined for the host itself. I'm not sure
> what's so hard to understand about this patch, you have f.i. multiple
> tunnels using the same remote network, on INPUT and POSTROUTING you SNAT
> them to seperate networks based on criteria like the network device or
> the IPsec tunnel to be able to distinguish them.

But they are already distinguishable by the ctmark that is applied
to these connections to do routing of the reply, are they not?
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ